Tuesday, December 12, 2017

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 34 new vulnerabilities with 21 of them rated critical and 13 of them rated important. These vulnerabilities impact Edge, Exchange, Internet Explorer, Office, Scripting Engine, Windows, and more.

In addition to the 33 vulnerabilities addressed, Microsoft has also released an update for Microsoft Office which improves security by disabling the Dynamic Data Exchange (DDE) protocol. This update is detailed in ADV170021 and impacts all supported versions of Office. Organizations who are unable to install this update should consult the advisory for workaround that help mitigate DDE exploitation attempts.

Friday, December 8, 2017

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between December 01 and December 08. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Overview

Talos has discovered a remote code execution vulnerability in the ACDSee Ultimate 10 application from ACD Systems International Inc. Exploiting this vulnerabilities can potentially allow an attacker to gain full control over the victim's machine. If an attacker builds a specially crafted .PSD (Photoshop) file and the victim opens it with the ACDSee Ultimate 10 application, the attackers code could potentially be executed with the privileges of the local user.

Thursday, December 7, 2017

This blog post is authored by James Spadaro of Cisco ASIG and Lilith Wyatt of Cisco Talos.

Imagine a scenario where you, as a vulnerability researcher, are tasked with auditing a network application to identify vulnerabilities. By itself, the task may not seem too daunting until you learn of a couple conditions and constraints: you have very little information to work off of on how the network applications operates, how the protocols work, and you have a limited amount of time to conduct your evaluation. What do you do?

In these scenarios, searching for and identifying vulnerabilities in network applications can be a monumental task. Fuzzing is one testing method that researchers may use in these cases to test software and find vulnerabilities in an efficient manner. However, the question that then comes up is how does one fuzz quickly and effectively?

Wednesday, December 6, 2017

Overview

This report shows how to deobfuscate a custom .NET ConfuserEx protected
malware. We identified this recent malware campaign in our Advanced
Malware Protection (AMP) telemetry. Initial infection is via a malicious
Word document, the malware ultimately executes in memory an embedded
payload from the Recam family. Recam is an information stealer. Although
the malware has been around for the past few years, there's a reason
you won't see a significant amount of documentation concerning its
internals. The authors have gone the extra mile to delay analysis of the
sample, including multiple layers of data encryption, string
obfuscation, piecewise nulling, and data buffer constructors. It also
relies on its own C2 binary protocol which is heavily encrypted along
with any relevant data before transmission.